As those are 'FORCE' parameters, one might consider it correct that, even though one is set to 'false', both will be via HTTPS.

However, WordPress is currently missing an option to have ONLY the login data sent encrypted and go on to the admin interface via a normal (non-encrypted) connection. That scenario requires additional redirections on the webserver.